Client Credentials flow with K2 Cloud with OData, Workflow REST or SCIM

This guide outlines the steps for using the Client Credentials Flow to access Nintex K2 Cloud's OData, Workflow REST, or SCIM APIs.

Before you begin:

Steps:

  1. Onboarding:

    • Open a support ticket with Nintex requesting the onboarding of the Client Credentials Flow for your environment.
    • Provide the SHA256 hash of your client secret.
    • https://help.nintex.com/en-US/k2cloud/userguide/current/Content/IdProviders/ClientCredentials.htm
    • You can generate the secret hash from a Client Secret value in a .NET console application. The onboarding team does not need the actual secret value, only its hash.

      Use the following steps and code example to generate the hash:

      1. Add the IdentityModel NuGet package.
      2. Add the IdentityModel library reference in the using section of the class:

      Sample code to generate a hash of your Client Secret

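      using System;
      using IdentityModel;

      class Program
      {
          static void Main()
          {
              // Replace with your own client secret; keep the real value out of source control.
              var mysecret = "my secret value I am not sharing";
              // ToSha256() comes from the IdentityModel package. The result is a hash, not an
              // encrypted value: send this hash to Nintex, never the secret itself.
              var secretHash = mysecret.ToSha256();
              Console.WriteLine(secretHash);
              Console.ReadLine(); // keep the console window open
          }
      }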
  2. Receive Credentials:

    • Upon approval, Nintex will provide you with:
      • Client ID (starting with idt.cc.{randomstringhere})
      • Token endpoint URL (e.g., https://login.onk2.com/{guidhere}/connect/token)
  3. Testing with Postman:

    • Create a new GET request in Postman
    • Enter the URL of your OData endpoint, e.g.: https://{k2cloudurl}/api/odatav4/v4/testsmartboxsmoes
    • Select the Authorization tab and select OAuth 2.0
    • Set the following:
      • Access Token URL: Your token endpoint URL (https://login.onk2.com/{guidhere}/connect/token)
      • grant_type: client credentials
      • client_id: The provided Client ID from the support ticket
      • client_secret: The original client secret that you chose (not the SHA256 hash that was provided to Nintex)
      • scope:
        • For OData: https://api.k2.com/
        • For SCIM (if available): Check with Nintex for the appropriate scope
      • Client Authentication: Send client credentials in body
  4. Get Access Token:

    • Click "Get New Access Token" in Postman.
    • The response will contain an access_token.
    • Click 'Use Token'.
  5. Use the Access Token:

    • Click 'Send' to send the request to your OData endpoint with the retrieved token.
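
The Postman steps above, scripted as an added example (not code from the original post or from Nintex): it sends the client credentials in the request body, as configured in step 3, and reads them from environment variables instead of hardcoding them. The K2_* variable names and the helper function names are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request

K2_SCOPE = "https://api.k2.com/"  # OData scope given in the guide


def build_token_request(token_url, client_id, client_secret, scope=K2_SCOPE):
    """Build the client_credentials POST with the credentials in the form body."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token endpoint must be HTTPS; the secret travels in the body")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the original secret, not its SHA256 hash
        "scope": scope,
    }).encode("ascii")
    return urllib.request.Request(
        token_url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return the access_token from the token endpoint's JSON, or raise."""
    doc = json.loads(raw)
    token = doc.get("access_token")
    if not token:
        # Report only the OAuth error code; never echo the request or the secret.
        raise RuntimeError("token request failed: %s" % doc.get("error", "no access_token"))
    return token


def build_api_request(api_url, access_token):
    """GET request carrying the bearer token, as Postman does after 'Use Token'."""
    return urllib.request.Request(api_url, method="GET", headers={
        "Authorization": "Bearer " + access_token,
        "Accept": "application/json"})


if __name__ == "__main__":
    # Hypothetical variable names; populate them from your secret store.
    env = os.environ
    req = build_token_request(env["K2_TOKEN_URL"], env["K2_CLIENT_ID"], env["K2_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = parse_token_response(resp.read())
    with urllib.request.urlopen(build_api_request(env["K2_ODATA_URL"], token), timeout=30) as resp:
        print(resp.status, resp.read(200))
```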


Additional Notes:

  • For production use, consider storing the Client ID and Client Secret securely and avoid hardcoding them.
  • You may be able to view the .well-known endpoint for more information by appending the following to your URL, e.g.:
    • https://login.onk2.com/{guidhere}/.well-known/openid-configuration
  • This guide assumes basic understanding of OAuth and using tools like Postman.
  • If using Workflow REST, authorization_code with a browser login would usually be applicable. You can also use client credentials, but the token will be tied to a K2SQL:ClientCredentialsApp account and will only see tasks/workflows based on the permissions and tasks assigned to that account.
